Enhancing entropy in pseudo-random number generators using remote sources

ABSTRACT

A system, apparatus, and method are provided for enhancing entropy in a pseudo-random number generator (PRNG) using remote sources. According to one embodiment of the present invention, the PRNG's internal state is first initialized. Local seeding information is then obtained from a local host. For added security, additional seeding information is obtained from one or more remote entropy servers, each operating independently and maintaining a constantly updated random state pool. Finally, the PRNG is stirred with both the local seeding information and the additional seeding information.

COPYRIGHT NOTICE

Contained herein is material that is subject to copyright protection. The copyright owner has no objection to the facsimile reproduction of the patent disclosure by any person as it appears in the Patent and Trademark Office patent files or records, but otherwise reserves all rights to the copyright whatsoever.

FIELD OF THE INVENTION

This invention relates to enhancing entropy in general, and more specifically to entropy amplification in pseudo-random number generators using remote sources.

BACKGROUND OF THE INVENTION

Securing data against cryptographic attack by means of encryption and decryption, especially when transmitting it over insecure channels, is widely practiced. Traditionally, symmetric encryption was used to secure information between two users. Symmetric encryption requires creating a single secret key known only to the two users, so secrecy is guaranteed only to the extent that the two users keep the key secret. Additionally, the need for a prior exchange of the key makes the system cumbersome. To make the system more secure and practical, the public-key system was introduced.

In a public-key system, also known as an asymmetric or two-key system, each user's key has a public and a private component. The public component is used to encrypt, while the private component is used to decrypt the encrypted text. This makes the system more secure, because it is difficult to recover the plaintext unless the corresponding private key is known.

A typical public-key system uses a pseudo-random number generator (PRNG) to generate random numbers through a deterministic process. Consequently, the security of such a system depends upon having a strong PRNG algorithm. A PRNG uses a random internal state and a process called stirring to produce a stream of bits that satisfies various statistical tests of cryptographic randomness. The internal state is initialized with a random value called a seed. The seed must have a high level of entropy to ensure that the stream of bits is sufficiently hard to guess. Existing methods of gathering entropy use information gathered from the local system to seed the PRNG. If the seed gathered from the local system does not have sufficient entropy, an attacker can guess the output of the PRNG with relative ease and break the system. This is especially true in constrained environments such as the Java Virtual Machine.

BRIEF DESCRIPTION OF THE DRAWINGS

The appended claims set forth the features of the invention with particularity. The invention, together with its advantages, may be best understood from the following detailed description taken in conjunction with the accompanying drawings, of which:

FIG. 1 is a block diagram of a typical computer system upon which one embodiment of the present invention may be implemented;

FIG. 2 is a block diagram illustrating an exemplary network upon which the present invention may be implemented;

FIGS. 3A and 3B are block diagrams illustrating symmetric-key and public-key encryption, respectively;

FIG. 4 is a block diagram illustrating logic for using a set of redundant entropy servers, according to one embodiment of the present invention;

FIG. 5 is a flow diagram illustrating the process for using a set of redundant entropy servers, according to one embodiment of the present invention;

FIG. 6 is a block diagram illustrating logic for implementing a secure entropy collection protocol, according to one embodiment of the present invention;

FIG. 7 is a flow diagram illustrating the process for implementing a secure entropy collection protocol, according to one embodiment of the present invention.

DETAILED DESCRIPTION

A method and apparatus are described for enhancing entropy in a pseudo-random number generator using a remote source. Broadly stated, embodiments of the present invention allow the stirring of a pseudo-random number generator using both the local seeding information and, for additional security, remote seeding information generated by remote entropy servers.

According to one embodiment, one or more remote entropy servers generate seeding information, which is securely gathered along with the local seeding information. If a system relies only on local seeding information and that information lacks sufficient entropy, an attacker can predict the state of the PRNG and break into the system. The use of remote seeding information adds to the unpredictability of the PRNG state, making the system much more resistant to cryptographic attacks. Protecting systems from cryptographic attacks by enhancing entropy using remote sources can secure all types of transactions, such as email, banking transactions, and communication between applications.

In the following description, for the purposes of explanation, numerous specific details are set forth in order to provide a thorough understanding of the present invention. It will be apparent, however, to one skilled in the art that the present invention may be practiced without some of these specific details. In other instances, well-known structures and devices are shown in block diagram form.

The present invention includes various steps, which will be described below. The steps of the present invention may be performed by hardware components or may be embodied in machine-executable instructions, which may be used to cause a general-purpose or special-purpose processor or logic circuits programmed with the instructions to perform the steps. Alternatively, the steps may be performed by a combination of hardware and software.

The present invention may be provided as a computer program product, which may include a machine-readable medium having stored thereon instructions which may be used to program a computer (or other electronic devices) to perform a process according to the present invention. The machine-readable medium may include, but is not limited to, floppy diskettes, optical disks, CD-ROMs, and magneto-optical disks, ROMs, RAMs, EPROMs, EEPROMs, magnetic or optical cards, flash memory, or other type of media/machine-readable medium suitable for storing electronic instructions. Moreover, the present invention may also be downloaded as a computer program product, wherein the program may be transferred from a remote computer to a requesting computer by way of data signals embodied in a carrier wave or other propagation medium via a communication link (e.g., a modem or network connection).

FIG. 1 is a block diagram of a typical computer system upon which one embodiment of the present invention may be implemented. Computer system 100 comprises a bus or other communication means 101 for communicating information, and a processing means such as processor 102 coupled with bus 101 for processing information. Computer system 100 further comprises a random access memory (RAM) or other dynamic storage device 104 (referred to as main memory), coupled to bus 101 for storing information and instructions to be executed by processor 102. Main memory 104 also may be used for storing temporary variables or other intermediate information during execution of instructions by processor 102. Computer system 100 also comprises a read only memory (ROM) and/or other static storage device 106 coupled to bus 101 for storing static information and instructions for processor 102.

A data storage device 107 such as a magnetic disk or optical disc and its corresponding drive may also be coupled to computer system 100 for storing information and instructions. Computer system 100 can also be coupled via bus 101 to a display device 121, such as a cathode ray tube (CRT) or Liquid Crystal Display (LCD), for displaying information to an end user. Typically, an alphanumeric input device 122, including alphanumeric and other keys, may be coupled to bus 101 for communicating information and/or command selections to processor 102. Another type of user input device is cursor control 123, such as a mouse, a trackball, or cursor direction keys for communicating direction information and command selections to processor 102 and for controlling cursor movement on display 121.

A communication device 125 is also coupled to bus 101. The communication device 125 may include a modem, a network interface card, or other well-known interface devices, such as those used for coupling to Ethernet, token ring, or other types of physical attachment for purposes of providing a communication link to support a local or wide area network, for example. In this manner, the computer system 100 may be coupled to a number of clients and/or servers via a conventional network infrastructure, such as a company's Intranet and/or the Internet, for example.

It is appreciated that a lesser or more equipped computer system than the example described above may be desirable for certain implementations. Therefore, the configuration of computer system 100 will vary from implementation to implementation depending upon numerous factors, such as price constraints, performance requirements, technological improvements, and/or other circumstances.

It should be noted that, while the steps described herein may be performed under the control of a programmed processor, such as processor 102, in alternative embodiments the steps may be fully or partially implemented by any programmable or hard-coded logic, such as Field Programmable Gate Arrays (FPGAs), TTL logic, or Application Specific Integrated Circuits (ASICs), for example. Additionally, the method of the present invention may be performed by any combination of programmed general-purpose computer components and/or custom hardware components. Therefore, nothing disclosed herein should be construed as limiting the present invention to a particular embodiment wherein the recited steps are performed by a specific combination of hardware components.

FIG. 2 is a block diagram illustrating an exemplary network upon which the present invention may be implemented. In this example, an Ethernet network 210 is shown. Such a network may utilize Transmission Control Protocol/Internet Protocol (TCP/IP). Of course, many other types of networks and protocols are available and are commonly used. However, for illustrative purposes, Ethernet and TCP/IP will be referred to.

Connected to this network 210 is a local system 220. In addition to the local system 220, one or more remote independent systems 230 and 240 are connected to the network 210. As illustrated, the remote independent systems 230 and 240 include entropy servers 230 and 240. The number and arrangement of this equipment may vary depending on the application.

FIGS. 3A and 3B are block diagrams illustrating symmetric-key and public-key encryption. As illustrated in FIG. 3A, the original data 305 is encrypted 315 using the symmetric key 310. The same symmetric key 310 is used to decrypt the data into its original form 320. The symmetric-key process 300 is extremely time- and processor-efficient, because only native processor instructions such as addition, bitwise logical-OR, bitwise logical-AND, and bitwise logical-exclusive-OR, keyed by the symmetric key, are used to encrypt and decrypt the text. However, the system is secure only to the extent that the two parties can keep the key secret.

In contrast, as illustrated by FIG. 3B, public-key encryption 350 uses a public key 360 and a private key 370 to obtain the encrypted data 365 and the decrypted data 375, respectively. In public-key encryption, the text 355 is encrypted 365 with the receiving party's public key 360. Upon reception, the receiver decrypts 375 the encrypted text 365 using the corresponding private key 370. Since only the private key 370 is kept secret, while the public key 360 is openly distributed, the need for both parties to share a secret in advance is eliminated.

Data is most often exchanged between parties encrypted with a symmetric key, and the symmetric key is encrypted with the public key of the receiving party and sent along with the encrypted data. This combination has the performance benefits of symmetric encryption together with the key-management advantages of public-key encryption. Encrypting a symmetric key with the recipient's public key is called a key exchange. The entire process of encrypting data with a symmetric key, encrypting the symmetric key, and sending the encrypted data and the encrypted symmetric key to the recipient is often referred to as “encrypting with the recipient's public key.” The phrase is used in this sense for the rest of the description.

FIG. 4 is a block diagram illustrating logic for enhancing entropy using a set of redundant entropy servers (see FIG. 2), according to one embodiment of the present invention. As illustrated, a local system 405 comprises a pseudo-random number generator (PRNG) 415, at least a means of gathering local seeding information 410, and the stirring process 425. In addition, the local system 405, according to one embodiment of the present invention, gathers remote seeding information 420 generated by one or more remote entropy servers 430 and 445. The remote entropy servers 430 and 445 each comprise a random state machine 435 and 450, and generate seeding information 440 and 455 that is later used by the stirring process 425 to stir the PRNG 415.

Generally, a PRNG uses a random internal state and the stirring process to produce a stream of bits that satisfies various statistical tests of cryptographic randomness. The internal state is initialized with a random value called a seed. The seed must have a high level of entropy to ensure that the stream of bits is sufficiently hard to guess. Typical methods of gathering entropy use seeding information gathered 410 from the local system 405 to seed the PRNG 415 via the stirring process 425. However, unless the seeding information gathered 410 from the local system 405 has sufficient entropy, an attacker can guess the output of the PRNG 415 with relative ease and break into the system.

To provide further security, according to one embodiment of the present invention, additional seeding information is obtained 420 from one or more remote entropy servers 430 and 445 over a secured link 460. The remote entropy servers 430 and 445, which comprise random state machines 435 and 450, generate the additional seeding information 440 and 455. The process of securely obtaining seeding information 420 is repeated for each redundant entropy server. The additional seeding information 440 and 455 generated by the remote entropy servers 430 and 445 is gathered 420, in addition to the local seeding information 410, for the stirring process 425.

The stirring process 425 receives and mixes the gathered local seeding information 410 and remote seeding information 420. Using the combination of local and remote seeding information provides the unpredictable state that a system must have in order to fully secure the information. The security of a system depends on having a cryptographically secure PRNG algorithm, and it is easy for an attacker to predict the state of a PRNG if only local seeding information of insufficient entropy is utilized. With the stirring process 425 mixing both local and remote seeding information, the much-needed entropy is amplified, making the system far more secure and difficult for the attacker to break into. Thus, the stirring process 425 of the present invention provides security against cryptographic breaks when two applications communicate with each other, or when information is sent from one computer to another over the Internet.

According to one embodiment of the present invention, secure data collection 420 from entropy servers is done using a privacy protocol such as Secure Sockets Layer (SSL) or Transport Layer Security (TLS). This prevents an attacker from obtaining a copy of the data supplied by the entropy server and reproducing the PRNG state on his own machine. If the exchange is not done securely, its value could be greatly diminished. Note, however, that privacy protocols such as SSL and TLS themselves require unpredictable random numbers in order to be secure. Thus, in the very environments that require remote entropy servers, such a privacy protocol may not be acceptable for securing the exchange, and an alternative may be required.

According to one embodiment of the present invention, an entropy server, which is a machine or piece of software, maintains a constantly updated random state pool that is used to supply hosts with seeding information that can be stirred into their PRNG state value. When only one entropy server is used, an attacker who compromises it is more likely to be able to negatively influence the initial state seeding. Hence, according to one embodiment of the present invention, a local host may use more than one entropy server, so that the attacker cannot influence the initial state seed by compromising a single entropy server.

FIG. 5 is a flow diagram illustrating a process for enhancing entropy using a set of redundant entropy servers, according to one embodiment of the present invention. First, a PRNG is initialized in processing block 505. When a local host requires a PRNG, it seeds the initial state using locally unpredictable information; this local seeding information is obtained in processing block 510. Further, seeding information is securely obtained from a remote entropy server in processing block 515. If redundant servers remain in decision block 520, the process of obtaining seeding information in processing block 515 is repeated for each of them. According to one embodiment of the present invention, a local host may use more than one entropy server so that an attacker cannot influence the initial state seed by compromising a single entropy server. Finally, when no redundant servers remain in decision block 520, the PRNG is stirred using both the local and remote seeding information in processing block 525.
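The FIG. 5 flow over a set of redundant servers, as an added example in Go that is not part of the patent or of any product it describes. The EntropySource interface, the names StirPRNG, GatherSeeds and SeedExample, the choice of SHA-256 over length-prefixed inputs as the stirring function, and the constructed fixed-value sources are all assumptions made for this example; a real deployment would back each remote source with the server's random state pool, fetched over the secured link 460.

```go
package main

import (
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// EntropySource is any supplier of seeding bytes: the local host (block 510)
// or one remote entropy server (block 515). The interface is hypothetical.
type EntropySource interface {
	Name() string
	Seed(n int) ([]byte, error)
}

// StirPRNG mixes the current internal state with every gathered seed (block
// 525). Each input is length-prefixed before hashing so that the seeds
// ("ab","c") and ("a","bc") do not collide. SHA-256 stands in for the stirring
// function; the text does not prescribe one.
func StirPRNG(state []byte, seeds [][]byte) []byte {
	h := sha256.New()
	frame := func(b []byte) {
		var n [4]byte
		binary.BigEndian.PutUint32(n[:], uint32(len(b)))
		h.Write(n[:])
		h.Write(b)
	}
	frame(state)
	for _, s := range seeds {
		frame(s)
	}
	return h.Sum(nil)
}

// GatherSeeds collects local seeding information first, then queries each
// redundant remote server in turn (blocks 510-520). An unreachable server is
// skipped, but fewer than minRemote successful remotes aborts seeding rather
// than silently falling back to local information alone.
func GatherSeeds(local EntropySource, remotes []EntropySource, n, minRemote int) ([][]byte, error) {
	localSeed, err := local.Seed(n)
	if err != nil {
		return nil, fmt.Errorf("%s: %w", local.Name(), err)
	}
	seeds := [][]byte{localSeed}
	ok := 0
	for _, r := range remotes {
		s, err := r.Seed(n)
		if err != nil {
			continue // redundancy: tolerate a failed server
		}
		seeds = append(seeds, s)
		ok++
	}
	if ok < minRemote {
		return nil, errors.New("too few remote entropy servers responded")
	}
	return seeds, nil
}

// fixedSource is a constructed, deterministic source used only so the example
// can be checked; a real entropy server draws from its random state pool.
type fixedSource struct {
	name string
	data []byte
	fail bool
}

func (f fixedSource) Name() string { return f.name }

func (f fixedSource) Seed(n int) ([]byte, error) {
	if f.fail {
		return nil, errors.New("unreachable")
	}
	out := make([]byte, n)
	copy(out, f.data)
	return out, nil
}

// SeedExample runs the FIG. 5 flow: initialize (block 505), gather local and
// remote seeds, stir. dropServer2 simulates one redundant server being down.
func SeedExample(dropServer2 bool) ([]byte, error) {
	state := make([]byte, 32) // block 505: fresh, all-zero internal state
	local := fixedSource{name: "host", data: []byte("local-seed")}
	remotes := []EntropySource{
		fixedSource{name: "entropy-1", data: []byte("remote-seed-1")},
		fixedSource{name: "entropy-2", data: []byte("remote-seed-2"), fail: dropServer2},
	}
	seeds, err := GatherSeeds(local, remotes, 16, 1)
	if err != nil {
		return nil, err
	}
	return StirPRNG(state, seeds), nil
}

func main() {
	s, err := SeedExample(false)
	fmt.Printf("%x %v\n", s, err)
}
```

The minRemote threshold is the check the redundancy argument relies on: if every remote server is unreachable, the code refuses to proceed on local seeding information alone rather than degrading to the weak case the description warns about. Length-prefixing each seed before hashing keeps an attacker who controls one server from shifting bytes across the boundary with the other contributions.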

FIG. 6 is a block diagram illustrating logic for implementing a secure entropy collection protocol, according to one embodiment of the present invention. In situations in which it is undesirable to use a standard privacy protocol, or when a standard privacy protocol is unavailable, a secure entropy collection protocol may be used to interact with one or more entropy servers. For instance, in an environment requiring a remote entropy server, the privacy protocols may not be acceptable for securing the exchange, because the privacy protocols themselves require unpredictable random numbers in order to be secure.

According to one embodiment of the present invention, on the host side 600, a temporary asymmetric key pair is generated 605. The temporary public key created 605 on the host side 600 is then encrypted with the remote entropy server's public key 610. The encrypted public key is then sent to the remote entropy server 650. As discussed above, in a public-key system there is a private key corresponding to each public key, and the private key is used to decrypt information encrypted under the corresponding public key. Thus, on the server side 650, the host's temporary public key is decrypted using the server's private key 620.

The server then generates random data 625 and encrypts it using the host's temporary public key 630. The encrypted random data is sent to the host 635. The random data is received on the host side 600 and decrypted using the host's temporary private key 640. Finally, the result of the decryption of the random data is used to stir the internal state of the local PRNG 645.

According to one embodiment of the present invention, random states from one or more external sources (e.g., redundant entropy servers) are added when gathering seeding information. This method provides additional security, because an attacker attempting a cryptographic attack would have to predict the random states of multiple independent external sources. In other words, the method allows the state of multiple independent systems to securely contribute to the strength of the local PRNG output, so that strong, remote sources of randomness make cryptographic breaks into the system far less likely.

FIG. 7 is a flow diagram illustrating the process for implementing a secure entropy collection protocol, according to one embodiment of the present invention. In situations in which it is undesirable to use a standard privacy protocol, or when a standard privacy protocol is unavailable, a secure entropy collection protocol may be used to interact with one or more entropy servers. First, on the host side, a temporary asymmetric key pair is generated in processing block 705. The temporary public key created on the host side is then encrypted with a remote server's public key in processing block 710. The encrypted public key is sent to the remote server in processing block 715. Then, on the server side, the host's temporary public key is decrypted using the server's private key in processing block 720.

The server then generates random data in processing block 725 and encrypts it using the host's temporary public key in processing block 730. The encrypted random data is then sent to the host in processing block 735. The random data is received by the host and decrypted using the host's temporary private key in processing block 740. Finally, the result of the decryption of the random data is used to stir the internal state of the local PRNG in processing block 745.

1. A method comprising: initializing a pseudo-random number generator (PRNG); obtaining local seeding information from a host; securely obtaining additional seeding information from one or more remote entropy servers using a secure entropy collection protocol, wherein the secure entropy collection protocol is to perform: generating a key pair including a temporary asymmetric public key and a temporary asymmetric private key, encrypting the temporary public key with a public key associated with a remote entropy server, decrypting the temporary public key with a private key associated with the remote entropy server, encrypting the additional seeding information with the temporary public key, and decrypting the additional seeding information with the temporary private key; and stirring the PRNG with the local seeding information and the additional seeding information.
 2. The method of claim 1, wherein the initializing of the PRNG comprises initializing an internal state of the PRNG with a random value.
 3. The method of claim 2, wherein the random value comprises a seed.
 4. (canceled)
 5. The method of claim 1, wherein the one or more remote entropy servers maintain a random state pool to supply the host with the random value.
 6. The method of claim 1, wherein the securely obtaining of the seeding information from the one or more remote entropy servers includes using a privacy protocol.
 7. The method of claim 6, wherein the privacy protocol comprises secure sockets layer (SSL) protocol.
 8. The method of claim 6, wherein the privacy protocol comprises transport layer security (TLS) protocol.
 9. The method of claim 1, wherein the stirring of the PRNG comprises producing a cryptographically random stream of bits.
 10-16. (canceled)
 17. An entropy enhancing system comprising: a local system including a host and a pseudo-random number generator (PRNG), the local system to initialize the PRNG by obtaining local seeding information from the host, securely obtain additional seeding information from one or more remote entropy servers using a secure entropy collection protocol, the secure entropy collection protocol to perform: generating a key pair including a temporary asymmetric public key and a temporary asymmetric private key, encrypting the temporary public key with a public key associated with a remote entropy server, decrypting the temporary public key with a private key associated with the remote entropy server, encrypting the additional seeding information with the temporary public key, and decrypting the additional seeding information with the temporary private key; and stir the PRNG with the local seeding information and the additional seeding information.
 18. The entropy enhancing system of claim 17, wherein the local system generates the local seeding information at the host.
 19. The entropy enhancing system of claim 17, wherein the one or more remote systems generate the remote seeding information at the one or more entropy servers.
 20. The entropy enhancing system of claim 17, wherein the entropy servers comprise one or more of the following: hardware and software.
 21-24. (canceled)
 25. A machine-readable medium having stored thereon data representing sets of instructions which, when executed by a machine, cause the machine to: initialize a pseudo-random number generator (PRNG); obtain local seeding information from a host; securely obtain additional seeding information from one or more remote entropy servers using a secure entropy collection protocol, wherein the secure entropy collection protocol is to: generate a key pair including a temporary asymmetric public key and a temporary asymmetric private key, encrypt the temporary public key with a public key associated with a remote entropy server, decrypt the temporary public key with a private key associated with the remote entropy server, encrypt the additional seeding information with the temporary public key, and decrypt the additional seeding information with the temporary private key; and stir the PRNG with the local seeding information and the additional seeding information.
 26. The machine-readable medium of claim 25, wherein the initializing of the PRNG comprises initializing an internal state of the PRNG with a random value.
 27. The machine-readable medium of claim 26, wherein the random value comprises a seed.
 28. (canceled)
 29. The machine-readable medium of claim 25, wherein the one or more remote entropy servers maintain a random state pool to supply the host with the random value.
 30. The machine-readable medium of claim 25, wherein the stirring of the PRNG comprises producing a cryptographically random stream of bits.